2 November 2022

The Attack on America’s Future Cyber-Enabled Economic Warfare

Samantha F. Ravich and RADM (Ret.) Mark Montgomery

Introduction

In 2018, the Foundation for Defense of Democracies (FDD) published a series of monographs analyzing cyber-enabled economic warfare (CEEW) as practiced by Russia, China, North Korea, and Iran. The four studies brought together for the first time an assessment of each adversary’s CEEW attacks on America’s economic infrastructure. At the time, the term CEEW was only beginning to seep into the consciousness of the U.S. national security community. The White House had used the term in its 2017 National Security Strategy, noting how adversaries are using technology to “weaken our businesses and our economy.”1 But the connection between such malicious activities and the overall strategies of America’s four principal adversaries remained unclear.

The risks associated with CEEW are now clearer, thanks less to the rigorous analysis of adversarial intentions than to the increased scale, scope, and frequency of attacks across the American economic landscape. Still, the federal government has a blind spot that leaves the United States vulnerable to a catastrophic strategic surprise — one that could simultaneously destabilize the U.S. electrical grid, water supply, banking system, transportation sector, or other critical infrastructure necessary for survival. That blind spot is intelligence that anticipates the adversary’s strategy. For too long, the United States has tried to patch its way to safety with the enemy inside its networks.

Roberta Wohlstetter’s 1962 book Pearl Harbor: Warning and Decision warns of the perils of missing “a particular enemy move or intention” amidst a vast amount of intelligence.2 The book has remained relevant over the decades as the United States successfully avoided a thermonuclear surprise attack by the Soviets, on the one hand, but failed to anticipate jet planes flying into skyscrapers, on the other. Wohlstetter informed generations of Cold War and counterterrorism intelligence analysts that signals not only must be gathered and illuminated to inform policymakers but must also be broken down and dissected to help guide future intelligence collection. Only then can the United States decipher the enemy’s decision-making structures and gain insight into the adversary’s larger strategic plan.

In FDD’s 2018 CEEW reports, we focused on reading the signals. Four years hence, this monograph’s updated chapters on Russia, China, North Korea, and Iran embark upon the hard task of breaking down and dissecting those signals. In each chapter, the authors analyze what these adversaries may do next and how the U.S. government and private sector might disrupt those plans.

RUSSIA

In his 2018 monograph for FDD, Boris Zilberman was one of the first scholars to detail how Moscow employs both state actors and proxies to get inside the information and communications technology (ICT) supply chain that is vital to America’s economic wherewithal. He documented how Kaspersky Lab demonstrated “technical knowhow, market foresight, and government cooperation [to] produce not only a global tech giant but also a serious national security threat.”3

Today, as Ryan Tully and Logan Weber describe herein, the Kremlin exploits “the gaps that prevent Washington from definitively attributing hostile cyber actions to the Russian government.” The authors emphasize that “Russia’s intelligence services seem to understand, perhaps better than American lawmakers, the constraints on the U.S. intelligence community when a foreign adversary shifts — physically or virtually — from operating outside of American borders to operating from within.” As Tully and Weber note, the U.S. intelligence community is generally restricted from looking inward at the U.S. populace or infrastructure. Thus, policymakers must grapple with difficult tradeoffs between security and privacy embedded within the current legal framework. Tully and Weber also urge greater intelligence collection and analysis of “Moscow’s surveillance dragnet” as an “enabler of CEEW operations abroad.”

As this volume approached publication, Russia invaded Ukraine. Russian artillery continues to pulverize Ukrainian villages, while Russian missiles wreak havoc in major cities. The Kremlin even rattled its nuclear saber. Generally missing in action, however, was Russia’s vast cyber capability. While there were some notable attacks such as that against California-based global satellite communications provider Viasat,4 there was no “shock and awe” cyberattack that crippled Ukraine’s critical infrastructure in one fell swoop. Rather, there were “hundreds of far more subtle attacks, many timed to coincide with incoming missile or ground attacks.”5 Theories vary as to why. One theory that will require more investigation: Did the Kremlin worry that a significant cyber strike might quickly leap from the Ukrainian battlefield to other domains, inviting Western retaliation? As National Cyber Director Chris Inglis hypothesized, perhaps the Russians “kind of understand that there are thresholds — they don’t know quite where those thresholds are, and they don’t want to cross those.”6

While the fog of war is too dense to discern potential shifts in Russia’s longer-term CEEW strategy, the analysis presented here sets the stage for understanding how Russia may deploy its cyber capabilities over the next few years given its unimpressive display of hard power in Ukraine and an economy weakened due to Western sanctions. The Kremlin will have limited options to undermine its adversaries — which have multiplied in the last few months. The war in Ukraine will force Russia to prioritize asymmetric means to seek revenge and regain parity. CEEW will become an increasingly attractive option.

CHINA

The Chinese CEEW battlespace has also grown more complex and dangerous since 2018, when author Zack Cooper explored the changing contours of China’s cyber operations. Cooper wrote that China’s hostile CEEW activity had “not garnered the public attention warranted by its severity” despite the fact that “China is engaged in wide-ranging cyber intrusions and network exploitations causing massive damage to U.S. and other foreign firms annually.”7

After four additional years of attacks and broken promises from the People’s Republic of China, we pick up the narrative where Cooper left off, exploring the fundamentals of Chinese CEEW, writing that it grows out of central tenets in China’s “long-standing approach to political warfare.” Chinese doctrine views cyber and economic tools as “direct and powerful means of influencing public opinion, altering an adversary’s political environment, and diminishing its resolve in a crisis.”

The chapter digs into the Chinese Communist Party’s (CCP’s) quest for control of global ICT infrastructure and the “technologies, supply chains, and services that constitute it,” noting this “is a central front” in CEEW. To understand and then undermine China’s CEEW strategy going forward, the United States should focus on ICT, which includes 5G and other telecommunications equipment, satellite navigation, cloud computing, and integrated circuits. China seeks to dismantle the U.S. and allied stake in these markets through cyber-espionage and sabotage as well as non-market coercion so that Beijing can “control key nodes in the global economy.” A powerful tool to combat risks associated with Chinese ICT in U.S. critical infrastructure is Executive Order 13873 of 2019, “Securing the Information and Communications Technology and Services Supply Chain.”8 Codifying this executive order in law could provide the Commerce Department with the will and resources needed to “establish a quasi-‘import control’ regime around ICT equipment.”

NORTH KOREA

The evolution of North Korean and Iranian CEEW over the last four years should compel U.S. policymakers to ask whether the intelligence community has more than a passing understanding of the enemy’s plan.

FDD’s North Korea monograph in 2018 analyzed how the Kim regime deploys its cyber capabilities as an “All-Purpose Sword.” Authors David Maxwell and Mathew Ha wrote, “As diplomatic efforts to dismantle North Korea’s nuclear weapons program move forward — or even if they do not — the flexibility and plausible deniability of cyber capabilities may make them an even more attractive weapon for the Kim regime.”9

And yet, as Ha notes in his update, Pyongyang has not employed its cyber capabilities for military ends in recent years. Rather, North Korea has wielded its all-purpose sword “to reap financial, political, and strategic benefits that are essential to prolonging the Kim regime’s survival,” with a primary focus on “financially motivated cybercrime.” Ha posits that the Kim regime “has calibrated its cyber provocations to remain within the gray zone between war and peace so as not to elicit a military response from South Korea and the United States.” At what point this calculus might change is not clear. Continued disintegration of North Korea’s domestic economy may lead Kim to move away from grand larceny and toward CEEW to coerce financial concessions from Washington and its allies. Or the Kim regime may simply miscalculate the line that separates the gray zone from outright warfare. These scenarios require continued vigilance and analysis to predict and prevent.

Ha makes a strong case that a potential shift in North Korea’s CEEW strategy toward a more aggressive stance could occur as the regime fills its cryptocurrency coffers. Pyongyang’s persistent theft from cryptocurrency exchanges could enable it to “build large reserves in numerous cryptocurrencies to spend in a cryptocurrency-based system of exchange independent of the U.S.-led financial system.” Ha explores Pyongyang’s development of a cryptocurrency-based system as a potential pathway to juche (“self-reliance”) — the bedrock of the Kim regime’s ideology. With the total value of the cryptocurrency market around $1 trillion,10 the allure for the cash-strapped North Korean regime is obvious. Still, Ha acknowledges that Pyongyang’s “ability to leverage cryptocurrencies for these greater objectives will likely be contingent upon technological advances by other rogue states with more robust economies that are more important to global trade.” The United States should carefully monitor whether North Korea is leveraging Russian and Chinese advances in the field of digital currency to undermine the international sanctions regime built to thwart Pyongyang’s nuclear and missile ambitions.

IRAN

Like North Korea, the Islamic Republic of Iran has seemingly pulled back on its CEEW activities, though it is not clear why.

Annie Fixler observes that Tehran clearly has the means to conduct such attacks, as illustrated by Iran’s distributed denial of service (DDoS) attacks on the U.S. financial sector in 2011–2013, the Shamoon attacks against Saudi Aramco in 2012, and the 2019 cyberattacks against Bahrain’s Electricity and Water Authority. Still, despite the U.S. assassination of Qassem Soleimani, commander of the Islamic Revolutionary Guard Corps Quds Force — Iran has refrained from wielding CEEW in a more devastating fashion over the past four years. Iranian hackers, however, have demonstrated improving capabilities and an ability to learn lessons from the successful operations of other U.S. adversaries.

Fixler counsels that the lack of “spectacular cyberattacks against the United States” should not lead policymakers to assume the United States has deterred Iran. There is not enough evidence to make this judgement. And even if Iran were temporarily deterred in its use of CEEW, “[d]eterrence is not static,” as Fixler thoughtfully writes. “It requires regular maintenance.”

If Fixler is right that Iran, like North Korea, has relegated CEEW tools and techniques to the fringes, there may be lessons for deterring non-near-peer competitors and rising cyber-weapon states. However, as Fixler concludes, “Underestimating a committed adversary is dangerous, and a misdiagnosis risks underinvestment in intelligence gathering, leading to strategic surprise.” While it is possible Washington has deterred Iran, it is equally likely Tehran has “elected not to expend limited resources on destructive attacks but to maintain the capability to employ them later on. After all, cyber-espionage can always be a steppingstone to more aggressive operations, and it can be difficult to parse motive from a few lines of code.” Washington “cannot afford to discount or dismiss Iran as a significant cyber threat.”

RECOMMENDATIONS

In addition to the country-specific recommendations in this monograph, the United States should undertake the following overarching steps to better protect itself against CEEW.

1. Improve focus within the intelligence community on the CEEW challenge. With America’s nation-state adversaries developing and utilizing CEEW tools, the intelligence community must bring increased focus to this issue. It must prioritize resources and personnel to better understand adversary CEEW campaigns, particularly the adversary’s economic interests, and to determine how to rapidly assess and distribute this information to allies and private-sector partners. The Office of the Director of National Intelligence’s National Counterintelligence and Security Center is positioned to lead this effort, alongside efforts underway at the Treasury Department, if properly tasked and resourced.

2. Improve public-private collaboration efforts to prepare for the CEEW threat. The United States needs an improved capacity to withstand CEEW attacks while reducing their frequency, scope, and scale. The nation must be prepared to respond to and recover from an attack, sustain critical functions even under degraded conditions, and, in some cases, restart those functions after a disruption. The United States must also raise the level of security across the cyber ecosystem. Because the private sector owns and operates the vast majority of that ecosystem, scaling up security necessitates public-private cooperation. The public and private sectors need to identify, assess, and mitigate risk across all elements of critical infrastructure in order to defend it. The government must build a better understanding of threats, with the aim of informing the private sector and directing government efforts to counter malicious cyber activities. While recognizing that private-sector entities have primary responsibility for the defense and security of their networks, the U.S. government has unique authorities, resources, and offensive cyber capabilities it can employ to support the private sector.

3. Develop economic contingency plans. A critical element of public-private collaboration is economic planning. While Washington has adequately identified and planned for key military contingencies, it must account for the entire spectrum of conflict where CEEW could occur. Adversaries will likely operate in the gray zone, skirting the line of armed conflict. They are likely to wage war first on an economic front or by employing a combination of economic coercion and critical-infrastructure disruption to raise pressure on the United States and its allies. To develop economic contingency plans, Washington needs a better understanding of U.S. and allied economic strengths and vulnerabilities. This planning should include economic actions that impose costs on attackers. (See the following recommendation.) It should also map out a list of options to mitigate risks, build resilience, and rapidly restart the economy. A key component of this economic contingency planning is the government-led Continuity of the Economy efforts directed by the National Defense Authorization Act for Fiscal Year 2021 (FY2021 NDAA). These efforts will help coordinate, exercise, and refine government and private-sector efforts to build economic resilience. They will help ensure the United States is not caught flat-footed by an adversary’s CEEW efforts and will assist in the rapid restart and recovery of the U.S. economy in case of a widespread disruption.

4. Expand the use of economic statecraft. Economic statecraft tools, such as sanctions and export controls, are appropriate responses to adversary CEEW attacks, since they are reciprocal. Sanctions could impose withering costs on the officials, firms, and governments who direct or benefit from acts of CEEW, especially if the sanctions are multilateral. Meanwhile, export controls — again, preferably multilateral — can limit access to key Western technologies that facilitate economic warfare against the United States and its allies. In addition, restrictions on the use of ICT equipment and services received from companies in hostile states can mitigate the risk of those governments, particularly China, utilizing the technological reach of their companies for cyber-enabled intellectual property (IP) theft and critical-infrastructure disruption.

5. Improve U.S. gray zone capabilities. To compete effectively in the gray zone, the United States and its allies must be willing to employ diplomatic, information, military, and economic tools using a strategic approach involving “defend forward” operations. The concept of defend forward posits that to disrupt and defeat ongoing adversary campaigns, the United States must proactively and persistently detect, observe, pursue, and counter adversaries’ operations and, where appropriate, impose costs on the adversary. The concept further posits that proactive responses to adversary gray zone operations signal that the U.S. government will respond to CEEW attacks, even those that do not cause physical destruction or death. Among other things, this will require the development of comprehensive information operations campaigns to counter adversary disinformation and support U.S. policies and interests.

Whereas FDD’s 2018 monographs were meant as a clarion call to recognize the importance of CEEW, the chapters contained herein seek to encourage intelligence gathering and responses to the adversary’s CEEW battle plan. Now more than ever, as American lives are dependent upon a network that moves at the pace of data, the United States must live by the credo, “To be forewarned is to be forearmed.”

No comments: